CERT-In Advisory
CIAD-2016-0086
Distributed Denial of Service (DDoS) Attacks from non-traditional Sources
Original Issue Date: December 23, 2016
Description
A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from
multiple sources. Such attacks target a wide variety of important resources, such as banks, e-commerce websites and Internet Service
Providers (ISPs), and present a major challenge to those who publish and access important information. Attackers launch DDoS attacks from
a wide variety of Internet-connected sources, including compromised web servers, botnets (malware-infected hosts) and vulnerable or
misconfigured UDP-based services (open DNS resolvers, NTP, SSDP, SNMP, Chargen) that can be abused for reflection and amplification.
Attackers change their tactics and chosen attack vectors from time to time.
Nowadays, attackers are exploiting unsecured Internet-connected embedded IoT (Internet of Things) devices to launch DDoS
attacks against their targets.
There are several reasons for choosing Internet of Things (IoT) devices as DDoS attack vectors. IoT devices can often be accessed
remotely with easily guessable login credentials, usually the factory-default usernames and passwords. They also have limited
operating systems and processing power, so they may not include any advanced security features.

Embedded devices are often designed to be plugged in and forgotten after a very basic setup process. Many never receive firmware
updates, or owners fail to apply them, and the devices tend to be replaced only when they have reached the end of their lifecycle. As a
result, any compromise or infection of such devices may go unnoticed by the owner, which makes them an attractive target for remote
attackers.
Most embedded IoT devices ship with a Linux-based operating system (built for a range of CPU architectures) and with SSH and Telnet
services enabled.
Examples of embedded Internet of Things (IoT) devices:
- Digital video recorders (DVRs)
- CCTV video cameras
- Smart TVs
- Printers
- Webcams
- Surveillance (IP) cameras
- Home routers
- Cable television set-top boxes
- Satellite set-top boxes
IoT Botnets (Malware)
Recently, IoT devices have been used to create large-scale botnets (networks of devices infected with self-propagating malware)
that can execute crippling distributed denial-of-service (DDoS) attacks.
About Mirai Malware
Mirai is a piece of malware that infects IoT devices and is used as a launch platform for DDoS attacks.
Mirai is built for two core purposes:
- Locate and compromise IoT devices to further grow the botnet.
- Launch DDoS attacks based on instructions received from a remote command-and-control (C&C) server.
Tactics used by Mirai Malware
Mirai performs wide-ranging scans of IP addresses. The purpose of these scans is to locate under-secured IoT devices (insecure
routers, IP cameras, digital video recorders and other easily compromised devices). The Mirai bot uses a short list of common
factory-default usernames and passwords to find vulnerable devices.
Mirai uses a brute-force (dictionary) attack to guess these credentials over the SSH (TCP port 22) and Telnet (TCP ports 23 and 2323)
services enabled on IoT devices.
Mirai's attack function enables it to launch HTTP floods and various network-layer (OSI layer 3-4) DDoS attacks. When launching HTTP
floods, Mirai bots hide behind predefined and customised default user-agent strings. At the network layer, Mirai is capable of launching
GRE IP and GRE ETH floods, SYN and ACK floods, STOMP (Simple Text Oriented Message Protocol) floods, DNS floods and UDP flood attacks.
Mirai-powered botnets are capable of generating huge amounts of traffic (e.g. more than 600 Gbps) against any chosen target.
Preventive Countermeasures
- Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found
on the Internet, making devices with default passwords extremely vulnerable.
- Update IoT devices with security patches as soon as patches become available.
- Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
- Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes
with a default password or an open Wi-Fi connection, consumers should change the password and allow it to operate only on a home network
behind a secured Wi-Fi router.
- Understand the capabilities of any IoT devices intended for at-home use. If the device transmits data or can be operated remotely, it
has the potential to be infected.
- Monitor TCP port 22 (SSH) and TCP ports 23 and 2323 (Telnet) for attempts to gain unauthorized control over IoT devices through their
remote-login services.
- Look for suspicious traffic on TCP port 48101. Infected devices use this port to send the results of their scans (the addresses and
credentials of newly found vulnerable devices) back to the threat actor's report server, from which the malware is spread further.
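The scanning tactic described under "Tactics used by Mirai Malware" and the monitoring advice in the list above can be turned into a simple detection. The following Python script is an added example for this advisory; it is not CERT-In's code and not derived from Mirai's source. It reads connection records in an assumed "timestamp src dst dport proto" format (the sample log, the addresses and the thresholds are all constructed for illustration) and flags two behaviours: a source that reaches many distinct hosts on the SSH/Telnet ports within a short window, which is what a scanning bot looks like from inside the network, and any connection to TCP port 48101, the port the bot uses to report scan results.

```python
"""Flag Mirai-style Telnet/SSH scanning and report-server beacons in a
connection log.  Added example for this advisory; the log format, the
thresholds and the sample addresses are assumptions, not something Mirai
or CERT-In defines."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Ports named in the advisory: SSH (22), Telnet (23 and 2323), and TCP 48101,
# which the Mirai scanner uses to send cracked credentials to the attacker.
LOGIN_PORTS = {22, 23, 2323}
REPORT_PORT = 48101

# Constructed sample log in the assumed "timestamp src dst dport proto" format.
# 192.168.1.50 behaves like an infected DVR: it sweeps Telnet on a dozen hosts
# within half a minute, then reports to 198.51.100.5:48101.  192.168.1.20 is an
# admin workstation making two ordinary SSH connections.
SAMPLE_LOG = "\n".join(
    [f"2016-12-20T10:00:{i:02d} 192.168.1.50 203.0.113.{i} {23 if i % 2 else 2323} tcp"
     for i in range(1, 13)]
    + [
        "2016-12-20T10:00:15 192.168.1.20 10.0.0.7 22 tcp",
        "2016-12-20T10:00:40 192.168.1.20 10.0.0.9 22 tcp",
        "2016-12-20T10:00:30 192.168.1.50 198.51.100.5 48101 tcp",
        "2016-12-20T10:00:31 192.168.1.50 203.0.113.99 443 tcp",
        "this line is malformed and is skipped",
    ]
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return {
            "time": datetime.fromisoformat(parts[0]),
            "src": parts[1],
            "dst": parts[2],
            "dport": int(parts[3]),
            "proto": parts[4].lower(),
        }
    except ValueError:
        return None


def find_scanners(records, threshold=10, window=timedelta(seconds=60)):
    """Return {src: max distinct targets} for sources that reached at least
    `threshold` distinct hosts on SSH/Telnet ports inside any `window`.

    A legitimate device opens a handful of management sessions; a Mirai bot
    opens new ones to random addresses many times per second."""
    per_src = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] in LOGIN_PORTS:
            per_src[r["src"]].append((r["time"], r["dst"]))

    scanners = {}
    for src, events in per_src.items():
        events.sort()
        in_window = Counter()  # dst -> hits inside the sliding window
        left = 0
        best = 0
        for t, dst in events:
            in_window[dst] += 1
            # Drop events that fell out of the window ending at t.
            while events[left][0] < t - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            scanners[src] = best
    return scanners


def find_report_beacons(records):
    """Return (src, dst) pairs for connections to the Mirai report port."""
    return [(r["src"], r["dst"]) for r in records if r["dport"] == REPORT_PORT]


def analyze(log_text):
    """Run both detections over raw log text, skipping unparsable lines."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {
        "scanners": find_scanners(records),
        "beacons": find_report_beacons(records),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

In practice the same logic runs over firewall, NetFlow or Zeek conn logs after a one-line change to `parse_line`; the threshold of ten distinct targets per minute is a starting point and should be tuned so that monitoring systems and jump hosts on the network do not trip it.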
References
https://www.us-cert.gov/ncas/alerts/TA16-288A
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-286-01
https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
https://isc.sans.edu/forums/diary/What+is+happening+on+2323TCP/21563/
http://arstechnica.com/security/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever/
http://arstechnica.com/security/2016/11/notorious-iot-botnets-weaponize-new-flaw-found-in-millions-of-home-routers/
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
https://www.arbornetworks.com/blog/asert/mirai-iot-botnet-description-ddos-attack-mitigation/
https://www.arbornetworks.com/blog/insight/perspective-iot-devices-ddos-attacks/
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, Government of India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi - 110 003, India